Last week, I said I'd be discussing the business models used by Linux
distributors and vendors of other open source software. While it's still
my intention to do so, I just couldn't neglect a fascinating tale that
unfolded this week surrounding the Secure Shell (SSH) Internet
protocol and its related software.

While the search for truly workable open source business models remains a
challenge, the SSH experience offers a textbook case of a business
practice that, from what I can see, is doomed to fail.

SSH is a sort of secure Telnet-type connection running over an encrypted
channel and featuring full public-key-based
authentication. The first release was developed under an
open license and attracted a worldwide community of developers. SSH
head developer Tatu Ylonen submitted the underlying protocol as an Internet
standard.

Version one of SSH became quite a community project. Because of U.S.
government restrictions, it wasn't adopted as quickly as proponents
would have liked. But for many security-conscious folk, SSH became
the replacement for Telnet and FTP.

And then, midway through the development of release 1.2.12 in 1995, Ylonen
quietly changed the license to a
more restrictive one that prohibited commercial distribution and
asserted a trademark on the name "ssh." He then incorporated a company,
SSH Communications Security, to sell the software to commercial users. The
company would later make a second version of the commercial SSH software
that was incompatible with the old open one.

The Finland-based company is now in a war of words and lawyers' letters
with developers of an increasingly popular open source implementation
known as OpenSSH. The OpenSSH
developers, many of whom worked on the original SSH community project,
viewed the license restrictions as a betrayal. It was one thing for Ylonen
to try to make a buck off his work, but the new licensing prohibited any
of the other developers from doing so.

The developers responded in the only way they knew how. They took the last
version of SSH that was completely open source and created a new project
to maintain and extend a free version of it. That project became OpenSSH
and was shepherded by the OpenBSD
group, which already had a reputation for being obsessed with secure free
software.

Within the last year, a number of events have converged to turn the
rivalry into a full-blown competition. Most importantly, OpenSSH finally
became good enough to use as a drop-in replacement for the proprietary
stuff.
Meanwhile, SSH Communications Security raised $14
million in capital, a move that gave the company lots of cash in
return for a new leadership with less tolerance for the free alternative.
Add the U.S. government's relaxing
of its restrictions on cryptography, and you had a volatile situation
just waiting for a head-on confrontation.

That confrontation started last week when SSH Communications spent some of
that $14 million on lawyers. The goal? Force OpenSSH to change its name.
The weapon? A U.S. trademark on
the lower-case letters ssh. The chance of success? Slim to none,
according to OpenBSD leader Theo de Raadt, who also says there's no reason
or desire within the OpenSSH community to change the name.

There are many arguments being given throughout the community for the futility of any
legal action. Here is a sample:

OpenBSD and OpenSSH are based in Canada, which doesn't
necessarily recognize the SSH trademark.

The trademark is only on a specific graphic of the letters SSH in
lower case in a specific font. The term SSH itself isn't trademarked.

As they produce software that's freely downloadable, the OpenSSH
developers are arguably not engaged in commercial gain. According to one
interpretation of the U.S. trademark law, this prevents any
trademark-related action against OpenSSH.

Who do you sue? The individual developers scattered around the world?
OpenSSH maintains no formal organized structure. And if the company won,
how much in damages could be extracted from these volunteers?

In honesty, few of the people offering such opinions are lawyers. But de
Raadt says he's consulted enough legal professionals to assure him that
any real action on the matter would get the Finns nowhere. He says the
OpenSSH project has no intention of changing its name or even reacting to
the threat. And as if to rub salt in the wound, the OpenSSH folk this week
announced a new release of their software. Version 2.5.1
fixes some compatibility problems with the commercial SSH, furthering
OpenSSH's push to outdo the proprietary version at its own game.

Maybe SSH Communications Security will continue to be profitable despite
the existence of a freely available (and now completely compatible)
version. The company seems faced with two options: It can pursue a costly
legal attack with no guarantee of winning, and reap only negligible
returns if it does win. Or it can back away, leaving OpenSSH an
opportunity to call its bluff, thus drawing even more attention to the
free software upstarts.

Somehow I think things would have been less messy had Ylonen not changed
the SSH license in mid-stream. This is not a business practice worth
emulating.

What do you think of the SSH-OpenSSH skirmish? Let me know in the TalkBack below.